RE: Win2000 IKE and 3des

[Paul Koning <pkoning@xedia.com>]

>>>>> "Chun" == Chun Ye <chunye@Exchange.Microsoft.com> writes:

 Chun> This is not a design error.  If you have an export driver, how
 Chun> can you expect to run 3DES?

I didn't expect to use 3DES if that isn't supported.  I never said
that.

What I said is that the system should either obey the instructions
given to it, or reject them.  It should never do something less secure
than what it was told to do.  Doing so is a major design error.
Nothing less.  

 Chun> Now why we can't reject it.  Envision you are running a
 Chun> world-wide corporation where domain-based policies are assigned
 Chun> to clients at different sites at different counties.  Some of
 Chun> them run the export version of Win2K.  Since it is near
 Chun> impossible to know what version of Win2K clients are running,
 Chun> so all clients policies are set to use 3DES.  On the corp-side,
 Chun> some servers will be configured to accept 3DES only and others
 Chun> both DES and 3DES.  If you don't weaken 3DES on the export
 Chun> clients, there is no way to talk to servers with DES
 Chun> configured.

That reasoning makes no sense whatsoever.  

If I wanted a configuration that is valid for either kind of crypto
module, I would configure "3DES preferred, DES accepted".  (Support
for a policy of that form would be useful if it isn't supported
currently.)

But if the policy is set to "3DES only" then that means 3DES ONLY.  It
does NOT mean "3DES or whatever random insecure other cipher some
random programmer decided to give me instead".

	paul

---

Follow-Ups:

• RE: Win2000 IKE and 3des
• From: "Michael Reilly" <michaelr@cisco.com>

References:

• RE: Win2000 IKE and 3des
• From: "Chun Ye" <chunye@Exchange.Microsoft.com>

---

• Prev by Date: RE: Win2000 IKE and 3des
• Next by Date: RE: Win2000 IKE and 3des
• Prev by thread: RE: Win2000 IKE and 3des
• Next by thread: RE: Win2000 IKE and 3des
• Index(es):
  • Main
  • Thread